1. Field of Invention
The present invention relates generally to the field of software security. More specifically, the present invention is related to the detection of software tampering.
2. Discussion of Prior Art
With the advent of digital technologies for movies and music, the problem of unauthorized copying has become severe. Digital copies are perfect copies, and to prevent them from being widely redistributed across the Internet, numerous content protection technologies such as DTCP (Digital Transmission Content Protection) and CPRM (Content Protection for Recordable Media) have been developed. These technologies have “robustness terms” in their licenses, wherein the terms in such licenses provide for tamper resistant implementations. The development of tamper-resistant technologies, especially software tamper-resistant technologies, has become a growing industry.
Most intrusion detection mechanisms are used after the damage is done and, thus, are reactive. The term “proactive security” refers to the detection of what goes wrong during a process, such as an execution of software before the final damage is done. Prior art systems fail to provide for a proactive security mechanism to combat reverse-engineering of software. These prior art systems fail to identify evidence hackers leave behind during a reverse-engineering attempt. There is a need to proactively detect (and thereby prevent real damage from occurring by stopping the hacking when it is still in its infancy) an on-going reverse-engineering process before hackers succeed in the tampering and before they gain access to important information such as secret keys.
In general, prior art intrusion detection systems are reactive and use existing knowledge to watch for abnormalities. One way of watching for such abnormalities is by maintaining an “audit log”. The general concept of using an auditing log has existed for a long time. However, an “auditing log” scheme works better and more practically when it is applied for a specific “detection” purpose. In this scenario, one needs to identify the information that needs to be put into the log for the detection purpose and the verification process that should follow. Making the information in the log satisfy certain properties can at times not only make the scheme more efficient (in terms of reducing log size and creating a more efficient verification), but can also guarantee the verification process and detect the target anomaly.
Another relevant concept is “forward security” which is a formal property that has been identified and appeared in literatures for security. Forward security includes methods of preventing corruption of past code or logs after tampering has occurred. Future actions may be untrusted, but preexisting trusted items remain uncompromised.
The following references provide for a general description of reactive intrusion detection mechanisms.
The U.S. patent to Drake (U.S. Pat. No. 6,006,328) discloses a method for computer software authentication, protection, and security. The method involves replacing vulnerable code (e.g., vulnerable to eavesdropping) with equivalent code (with vulnerability removed) that communicates directly with hardware, and it disables system interrupts or other functions which would permit rogue software to eavesdrop. Tamper detection techniques are used within, or accessed by, the software to disallow the subsequent entry of ID-data into input routines if tampering is detected. The disclosed invention provides for the: execution of code checksums of RAM or other images; comparison of memory with other stored copies of executable code and/or decryption of the entry process; examination of executable environment; comparison of executable size with expected values; notification and/or transmission of authentication failure details to a third person or process; and recording of a log regarding the usage and/or details of the user (of input routines or secure entry processes).
The U.S. patent to Auerbach et al. (U.S. Pat. No. 5,673,316) provides for the creation and distribution of cryptographic envelopes. Disclosed within is an envelope with an aggregation of information parts wherein each part is encrypted with a part encryption key and a public key. The list is then signed with a secret key to generate a signature, which is also included in the envelope.
The European patent to Pearson (EP1076279-A1) discloses a computer platform with license-related code which is integrity checked with reference to signed versions and public key certificates. The computer platform or trusted module forms a tamper proof component wherein licensing checks can occur within a trusted environment that behaves as a user would expect. An associated clearinghouse mechanism enables registration and payment for data. The system also enables verification of the integrity of a platform by either a local user or a remote entity.
The U.S. patent to Allen et al. (U.S. Pat. No. 4,757,533) discloses a security system for a personal microcomputer which combines hardware and software to provide tamper-proof protection of user and file access. One of the disclosed chips provides an audit trail log, protection and encryption system flags, and user access rights, wherein the chip ensures that access is only gained by valid users.
The foreign patents WO200077597 A1, WO200114953 A1, and WO200077596 B1 disclose, generally, a tamper resistance method involving transforming the data flow in the computer software code to dissociate the observable operation of the transformed code from the intent of the original software code. The methods provide for making computer software resistant to tampering and reverse engineering.
The foreign patent to Stanton et al. (WO9904530 A1) discloses a file encryption method with session keys for use as a data encryption key to prevent tampering. The method using a strong encryption algorithm based on a shared secret key or public-private key cryptosystem which enables emergency access to the file by legal authorities.
The non-patent literature to Bellare et al. entitled, “Forward Integrity For Secure Audit Logs” provides a method for maintaining the security of audit logs. Disclosed applications include: securing audit logs (e.g., syslogd data) for intrusion detection or accountability, communications security, and authenticating partial results of computations for mobile agents.
The non-patent literature to Song entitled, “Practical Forward Secure Group Signature Schemes” provides for a forward security scheme to mitigate the damage caused by key exposure.
Whatever the precise merits, features, and advantages of the above cited references, none of them achieve or fulfills the purposes of the present invention.